Update file_event_win_anydesk_artefact.yml

[fornotes]

Summary of the Pull Request

Removing ".temp" condition for TargetFileName

To test this rule:

• I downloaded latest AnyDesk.exe (9301F6668A60613EA24505B0DE6BC59B0E98B9F68A5C8A990C60CA076012D528) from hxxps[://]anydesk[.]com
• Installed Sysmon with a test config that logs all file creation events under C:\user*\AppData\Roaming\AnyDesk\ directory
• Next ran AnyDesk.exe by double clicking on it

AnyDesk.exe did create user.conf and system.conf file, but these files did not have ".temp" in their file name.

Changelog

fix: Anydesk Temporary Artefact - Remove unnecessary logic from the detection section.

Example Log Event

Sysmon Config used during the test

<Sysmon schemaversion="4.90">
	<!-- Hashing algorithms that can be used are md5,sha1,sha256,imphash or * for all,
  more than once can be specified separated by using comas -->
	<HashAlgorithms>md5</HashAlgorithms>
	<!-- Checking for signature revocation for drivers. -->
	<CheckRevocation/>
	<EventFiltering>
		<!-- Do not log any Process Termination Event. -->
		<ProcessTerminate onmatch="include"></ProcessTerminate>
		<!-- Do not log any Process Creation Event. -->
		<ProcessCreate onmatch="include"></ProcessCreate>
		<!-- Log File Creation Events Where TargetFileName contains \AppData\Roaming\AnyDesk\ . -->
		<FileCreate onmatch="include">
			<TargetFilename condition="contains">\AppData\Roaming\AnyDesk\</TargetFilename>
		</FileCreate>
	</EventFiltering>
</Sysmon>

Output:

Fixed Issues

N/A

SigmaHQ Rule Creation Conventions

• If your PR adds new rules, please consider following and applying these conventions

[frack113]

Hi,
thanks for the return.
As the detection change , we add modified in the rule:

date: 2022/02/11
modified: 2024/07/20

[fornotes]

modified date added to the rule file.